One reason for reCAPTCHA’s initial widespread use was that it was free; any company doing businesses digitally that wants a modicum of bot protection could integrate it on the login or registration pages without investing a dime. Certainly, it makes maintaining tight fraud budgets easier.
However, that’s not entirely true anymore; Google released reCAPTCHA Enterprise to general availability this year, which is free for only up to 1 million assessments per month.
According to its own description, Google uses “an advanced risk analysis engine” to determine the suspicion level of traffic to a website. Any traffic that is deemed suspicious is served a reCAPTCHA enforcement challenge. This can entail either only clicking the “I’m not a robot” box, or doing that as well picking out mundane everyday items from a grid. Here are a few common issues that arise with this approach.
Good users are often classified as suspicious
Google’s “advanced risk analysis” noted above is heavily dependent on the use of Google cookies, researchers have noted. That means if you are a Chrome user, or are logged into a Google account such as Gmail, Google knows much more about you and how “suspicious” your web activity is. So users of Google products and services will likely bypass any reCAPTCHA challenge.
Bots have become adept at solving puzzles
Image recognition software has gotten so advanced that it can easily solve most reCAPTCHAs with little difficulty. And it's easy to get a hold of software to do just that; a simple web search for bots that solve reCAPTCHA turns up dozens of results, some of which offer access to automated scripts for as little as $20/year. In 2016, an American computer science professor used off-the-shelf image recognition tools to solve Google’s image CAPTCHAs with 70 percent accuracy.
A new and Better reCAPTCHA?
In response to many of these concerns, Google in 2018 rolled out V.3 of its security solution, and the Enterprise version this year. So how exactly is it different?
The biggest change is that it aims to show far less challenges. Instead, it works “invisibly” in the background, constantly monitoring user behavior to determine whether each visit to a site is a human or a bot. Google then returns a risk score to website administrators between 0 and 1 -- 0 means you’re definitely a bot, 1 means you’re definitely a human, and in between is a very large gray area. Website admins then must decide what to do based on the score they receive for each user.
It still favors users of Google products
Much like its previous iteration, new versions of reCAPTCHA still largely use whether you have Google cookies on your browser to determine if you are suspicious or not. According to a Fast Company article, “With reCAPTCHA v3, technology consultant Marcos Perona and Mohamed Akrout’s tests both found that their reCaptcha scores were always low risk when they visited a test website on a browser where they were already logged into a Google account.”
So, once again, those using other browsers than Chrome, or tools to maintain online privacy, will likely face friction.
Furthermore, it should be noted that any environment that doesn’t enable cookies will automatically lead to much higher instances of good users seeing reCAPTCHA challenges. This includes when authenticating on iOS and Android apps, as well as desktop applications, such as launching apps for PC video games.
This is also an issue for users in places where Google does not have a presence. Take China, where Google is banned. It’s one of the largest economies and consumer markets in the globe. Since there’s no Google there, there’s no Google cookies so users almost always have to solve challenges. It’s plainly apparent that a cookies-based approach to authentication is not viable in the long term.
It’s still the same challenge
So, what do you do for users that get assigned a high-risk score? Well, you have a few options. One is to serve them a challenge...which is exactly the same reCAPTCHA it has always been. So really, any business deploying new versions is still going to have only the same old reCAPTCHA grid with picking crosswalks available to them if they want to serve a challenge to suspected suspicious traffic.
Website operators can also choose to trigger two-factor authentication for those with low scores, but this provides even more friction to potential good users than solving a CAPTCHA. Good users successfully pass 2FA only about 66% of the time.
A “Black Box” with No Data
The main issue with a risk scoring system is one that has long been an issue for users of reCAPTCHA or many other services: There is no insight or analysis of data. Google can tell you if it thinks someone is suspicious, but not what to do about it. If you are a website admin, at what score do you draw the line for challenging a user? Is it .15? .25? Ultimately, any website using reCAPTCHA will end up either blocking too many good users or being too lax and letting too many fraudsters through.
Businesses need insight into attack patterns, in order to evolve to stop the same threats in the future. Without a constant feedback loop refining the accuracy of its risk scores, reCAPTCHA or other solutions does not learn or evolve to defend against the ever-changing threat landscape.
What an Effective, Modern Bot Prevention Solution Looks Like
To effectively manage fraud and abuse in this rapidly evolving ecosystem, businesses need a long-term approach that evolves with attack patterns, instead of playing a constant game of whack-a-mole with fraud attacks.
That’s why Arkose Labs takes a different approach; rather than traditional “fraud mitigation” we aim to bankrupt the business model of fraud entirely. By removing the ROI for fraud attacks, fraudsters are compelled to abandon attacking your site and attack someone else. These are the steps Arkose Labs takes to ensure fraudsters are foiled and good customers aren’t frustrated.
Accurate Classification:
Risk scores based on identity fail to stop modern, fraud attacks. Arkose Labs analyzes hundreds of data points around behavior to create “telltales” to determine whether a user is suspicious or not. This is partially informed by data from our global network of dozens of clients, where we create telltales of known previous attacks. Arkose Labs also can implement industry-specific telltales customized for individual merchants based upon their business model and industry Traffic is then segmented based on whether it is likely to be legitimate, a bot, or human sweatshop, which informs the platform of any required secondary screening and the type of enforcement challenge shown.
Challenge and interact:
To understand the intent of traffic in a deterministic way, secondary screening must be paired with the risk assessment stage. The platform tests and challenges high-risk traffic using interactive technology that causes all automated attacks to fail. Meanwhile, increasingly complex challenges are served to human sweatshop workers, which increases the amount of time it takes them to complete a task, thus reducing their ROI. This leads them to abandon their attacks. Challenges can either be timed (to stop queued solve pipelines) or take a long period of human attention to solve (to sap efficiency). The platform tailors the type of challenge based on the nature of the sweatshop attack. In the first half of 2020 alone, Arkose Labs has wasted more than 30 million hours of human sweatshop workers' time.
The small number of good users who may see a challenge will be able to solve it on average in less than 3 seconds. Our challenges are also designed with gamification principles -- meaning they are fun to solve, unlike CAPTCHAs. They can also appear as brand-specific challenges, which enhances the customer experience.
Recommended Blog: What Are Captchas? Are They Still Relevant in 2020?
Evolving Platform:
The Arkose Labs platform combines risk assessments with challenges, which creates a continuous feedback loop to improve fraud detection rates while decreasing challenge rates for good users. Embedded machine learning will provide advanced anomaly detection and evolving protection, taking the burden away from in-house teams. The feedback loop also ensures that any good user that does see a challenge, will not continue to do so in the future after they have solved it the first time. The Arkose Truth Data API can also be used to send data to validate if a user ultimately was fraudulent or not, which can be used to further train appropriate defenses for future or ongoing attacks.
Clients also benefit from real-time logging (RTL), which is the detailed logs of user activity provided by Arkose Labs' servers. These logs are sent to a client-specified endpoint, which may be a server you run directly, or a third-party service designed to digest and package logging data for analysis.
The RTL data is made up of events. Each event is tagged with a unique session token that ties it to a user. The events are sent in real-time and cover the entire user experience, from Arkose Labs session creation to the session verification attempt. Included in the RTL data is telemetry data about the user, including what has been learned from the user's presence elsewhere on the Arkose Labs network. If the user was given an elevated security level, the reasons for that are also included.
And since we don’t block any traffic, instead of challenging suspicious traffic, it means false positives are drastically reduced and our customers don’t have to worry about being blocked.
The Arkose Labs Fraud and Abuse Defence Platform does not just mitigate the effects of fraud but provides powerful remediation which eradicates 100% of automated traffic, and enables businesses to deflect attacks from skilled cybercriminals and sweatshop outfits. To learn more about how we can help or to book a demo, click here.
